
Trojan.Gen.2

Created: 30 Nov 2010 • Updated: 19 Oct 2011 | 17 comments
This issue has been solved. See solution.

I am having a problem getting rid of this trojan. I am using Symantec Endpoint Protection ver. 11.0.6000.550.

I keep on getting notices that Symantec has quarantined a bunch of DWH****.tmp files.

I found this page <http://securityresponse.symantec.com/security_response/detected_writeup.jsp?name=Trojan.Gen.2> on the Symantec website and have tried it without success.


pete_4u2002

The issue is fixed in RU6 MP1. Upgrade the client to RU6 MP1 and let us know if it solves your problem.

DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan

Fix ID: 1925607

Symptom: DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan.

Solution: After extracting a quarantined item to a temp file, the file is deleted immediately after it is processed.

http://www.symantec.com/business/support/index?page=content&id=TECH103087&locale=en_US

Ajit Jha

Look for the Fix ID 1925607. This issue is fixed in RU6.

Regards,

Ajit Jha

Technical Consultant

ASC & STS

GeoGeo

RU6 MP1 will fix some of the clients getting this issue but there are instances of people getting this issue even after upgrading to RU6 MP1.

Check your system for programs that auto index new items like windows indexing options (Control Panel > Indexing Options) and turn them off from indexing.

These temp files are created by SEP when it rescans the quarantined files after a definition update, and the indexing scans them at the same time, causing SEP to identify the newly created temp file as a new Trojan and re-quarantine it, creating duplicates.

Please review the ideas and vote; there could be something useful :)

https://www-secure.symantec.com/connect/security/ideas

TomVA

Thank you for your help. I installed the upgrade and have not seen it pop up in the last few hours. Thank you all for your help.

TruEye

Hi, my OS is XP SP2 and my Symantec AntiVirus is 10.1.8.8000. Recently, my machine keeps popping up a SAV notification telling me that a risk was found and a file named APQ*.tmp has been quarantined successfully. Please help me stop the notification from popping up.

Thank you very much for any help,

smittywitty

I have NIS 2008 installed and, despite following the instructions, I get a message that NIS cannot remove this virus. Is there a fix in NIS 2008, or is an upgrade to 2010/2011 my only option? Thanks

Thomas K

@ Smittywitty,

Have you tried scanning in Safe Mode?

Also try the Norton Power Eraser tool to remove these pesky bugs.

http://security.symantec.com/nbrt/npe.asp?lcid=103...

In the future you should post NIS issues in the Norton Community. This forum is for Enterprise Product support.

http://community.norton.com/norton/

Best,

Thomas

smittywitty

Sorry for the wrong forum post. A search on Google dropped me right here. No, I have not tried a safe-mode scan. Will do that tonight. If that doesn't work I will then try the link to Power Eraser you provided. Thanks for your help.

StAlphonzo

Hello, I'm still having this trojan gen2 virus warning even after upgrading to the latest version. The computer has been rebooted since the upgrade was applied using SEPM. I can see the latest version is installed in both the SEPM console and the installed programs list in Windows.

Someone also suggested Windows indexing could be causing the problem. Indexing is turned off for the AppData directory (which is where the user temp directory is located).

Any other ideas?

Mithun Sanghavi

Hello,

Check the Security Featured Thread:

Generic Trojan - DWH*.tmp in Temp folder

https://www-secure.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder

If such detections continue after deleting old .tmp files and updating to SEP 11 RU6a, see the following:

Stop the Symantec service

  • Click Start, then Run
  • Type: smc -stop
  • Click OK

Deleting the files

NOTE: The following instructions are to be done from the Command Prompt, as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large number of files that can reside in these locations. Please note that these instructions will delete the files in the targeted directories, not the directories themselves. Do not remove the directories themselves, only the contents of those directories.

Open the Command Prompt

  • Click Start, then Run
  • Type: cmd
  • Click OK

Deleting files from the User Temp folder

  1. Type the following command in the Command Prompt. (The following string will vary depending on the user name.) Replace "<NAMEOFUSER>" with the username of the Windows user whose temp folder you wish to empty:
     • Windows 2000/XP/2003
       DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"
     • Windows Vista/7/2008
       DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"
  2. Deleting the contents of the temp folder at the root of C:\
     • Type the following command in the Command Prompt:
       DEL /F /Q C:\temp
  3. Deleting the contents of the Windows Temp folder
     • Type the following command in the Command Prompt:
       DEL /F /Q C:\WINDOWS\Temp
  4. Deleting the contents of the xfer and/or xfer_temp directories
     • Type the following commands in the Command Prompt:
       • Windows 2000/XP/2003
         DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
         DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"
       • Windows Vista/7/2008
         DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"
         DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

The Quarantine Folder

NOTE: The following instructions are to be done from the Command Prompt, as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large number of files that can reside there.

Delete the Quarantine Folder

Type the following commands in the Command Prompt:

  • Windows 2000/XP/2003
    DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
    RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
  • Windows Vista/7/2008
    DEL /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"
    RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

Recreate the Quarantine Folder

Type the following command in the Command Prompt:

  • Windows 2000/XP/2003
    MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
  • Windows Vista/7/2008
    MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

Start the Symantec service

  • Click Start, then Run
  • Type: smc -start
  • Click OK

If you have frequent recurrences of this issue and would like to disable re-scanning of the quarantine folder, please follow these steps:

Disable re-scanning of quarantine files. From the SEP Manager:
  - Edit the Antivirus and Antispyware policy of the affected clients.
  - In the policy editor, click "Quarantine" in the left-hand menu.
  - On the General tab, click "Do nothing" under the heading "When new Virus Definitions Arrive".

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
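As an added example, not from the thread or from Symantec, the cleanup steps in the post above as one PowerShell script. It assumes an elevated PowerShell prompt, that smc.exe is on the PATH (as it is when typed into Start > Run), the default SEP 11 data location, and that the current user's temp folder is the one to empty.

```powershell
# Added example (not the thread's own text): scripted form of the manual
# cleanup above. Assumptions: run as Administrator, smc.exe on PATH,
# default SEP 11 data folder, current user's temp folder.

# CommonApplicationData is "All Users\Application Data" on 2000/XP/2003
# and "C:\ProgramData" on Vista/7/2008, so both path variants are covered.
$common     = [Environment]::GetFolderPath('CommonApplicationData')
$sepData    = Join-Path $common 'Symantec\Symantec Endpoint Protection'
$quarantine = Join-Path $sepData 'Quarantine'

# Folders whose *contents* are removed but which must stay (DEL /F /Q steps 1-4)
$emptyOnly = @($env:TEMP,
               'C:\temp',
               (Join-Path $env:SystemRoot 'Temp'),
               (Join-Path $sepData 'xfer_tmp'),
               (Join-Path $sepData 'xfer'))

function Clear-FolderContents([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Skipping missing folder: $Path"
        return
    }
    # Non-recursive, files only, like DEL /F /Q; subfolders are left in place
    Get-ChildItem -LiteralPath $Path -Force |
        Where-Object { -not $_.PSIsContainer } |
        Remove-Item -Force -ErrorAction SilentlyContinue
}

# 1. Stop the SEP client (Start > Run > smc -stop)
& smc -stop
Start-Sleep -Seconds 10    # smc returns before the service has fully stopped

# 2. Empty the temp and xfer folders without deleting the folders themselves
foreach ($dir in $emptyOnly) { Clear-FolderContents $dir }

# 3. Remove and recreate the Quarantine folder (DEL /F /S /Q, RD /S /Q, MD)
if (Test-Path -LiteralPath $quarantine) {
    Remove-Item -LiteralPath $quarantine -Recurse -Force
}
New-Item -ItemType Directory -Path $quarantine | Out-Null

# 4. Start the SEP client again (smc -start)
& smc -start
```

Run it only after confirming the detections are the DWH*.tmp re-detections this thread describes, since it removes every file in those temp folders; close other applications first so their open temp files are not lost.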
glentc

The only thing I would suggest is also deleting the Java cache folders.

StAlphonzo

Your solution solved the problem for us. Thanks a ton.

AndersonAng

This Trojan.Gen.2 infected a file named scanquery.dll, which is located in c:\program files\scanquery\scanquery.dll.

Isn't that part of a Norton file? After a restart it is still not resolved.
Any suggestion?

Mithun Sanghavi

Hello,

c:\program files\scanquery\scanquery.dll is not a part of Norton.

This sounds like a threat itself.

Please follow the steps in the article below to check if there are any more threats on your machine:

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Thomas K

@ AndersonAng, ThreatExpert reports scanquery.dll as a threat.

http://www.threatexpert.com/reports.aspx?find=scan...

Try downloading the latest Rapid Release definitions and run a full scan in Safe Mode. Let us know if the threat gets detected and cleaned. As Mithun stated, submit the file(s) to Symantec for analysis ASAP.

nmc@nmc.co.in

I am using Symantec Endpoint Protection 12.1; one of my systems is showing a Trojan.Gen.2 infection in

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\SRTSP\Quarantine\APQ1893.tmp

Kindly help.

Anil Kumar